Apr 29, 2008

Employee education key to successful enterprise security

All the technology in the world won't help if your employees don't follow security policies, so how can you win them over?

Money can buy you many things, it seems, but not perfect security. Organisations have been investing in IT security over the past few years, but laptops and disks full of sensitive data are still going missing and corporate networks are still being hacked.

In all these breaches, the common link has become increasingly obvious: employees. Whether they are failing to abide by corporate policies, simply don't know about them, or work in a company that has no security policies in place, staff are mailing out millions of user accounts without proper encryption, giving out passwords over the phone and double-clicking on attachments that promise naughty pictures of Angelina Jolie.

A recent survey of 1,000 IT managers by mobile data security specialist SafeBoot showed that 54 per cent of respondents felt that the majority of their employees ignore company security policies, mainly due to a lack of understanding and "not taking it seriously".

The answer then should be clear: educate employees about the risks and what they should be doing to reduce them. And indeed, some companies are already doing that. But SafeBoot's research shows that 98 per cent of IT managers rely on memos and emails to communicate security. As Tom de Jongh, product manager at SafeBoot, points out: "You can't trust employees to read memos."

So what is the best way to teach employees about security - and get them to follow the advice? The first step is to realise that not everything is going to happen overnight. "You need to change the culture of the organisation over several years," says Martin Smith, chairman and founder of The Security Company. Smith, who started his career in military counter-intelligence and counter-espionage, has been trying to convince businesses of the importance of security awareness for 20 years.

"It's heartbreaking," he laments. "Infosec is focusing frantically on technology, but it doesn't matter what you spend on security unless you bring people with you. If staff could just know some basic stuff, it would all go away."

Generating this culture of security is an important component of overall security awareness. "There's an awful lot that users need to know - too much," Smith adds. "They're overloaded with information they're not really interested in - it's boring." Rather than trying to teach people using courses, he advises constant reinforcement of messages about the importance of security, combined with a place where employees can look up the information they need.

Bad awareness education can be even worse than no training at all, Smith suggests. "Employees will always ask: 'What's in it for me?'. If all people see of security is a boring course once a year that effectively pushes the problem on to them so that the security team's arse isn't on the line, that's not a huge sell." Measures such as providing somewhere for employees to find out security information, letting them know that breaches in security could cost the company severely, creating a culture of security and not forcing them to do anything, are far more likely to make employees security aware.

Assuming the constant reinforcement of the message is getting through, employees who are about to perform an action that might be potentially dangerous will pause to think and consult the knowledge zone for the correct procedure. "Then you'll have employees thinking: 'Send out 25 million bits of information? That doesn't sound right. I'll just check the knowledge zone,'" Smith says.

Obviously, creating an intranet knowledge zone or having a security support team to answer queries takes resources. Cliff May, consulting manager at Integralis, often has to teach employees of client organisations about security as part of ISO27001 audits. He uses seminars and e-learning packages to educate users, but prefers seminars. "E-learning is not as effective. If you run tests, sometimes people get the answers off someone else - it's a paper exercise they just want to get over with."

Nevertheless, they can work well if you're prepared to invest in them properly. Paul King is a member of Cisco's security programmes organisation, which runs training around the world. As well as an initial induction programme that uses face-to-face training, Cisco uses e-learning systems featuring specially shot videos put together by professional video makers. "We keep them quite short, simple and interesting. There are also questions interspersed throughout, although they're not as hard as an exam."

Cisco has an internal home page with links to take people through to the e-training videos. Using web analytics, the company monitors which employees have been watching videos. "Everyone in the organisation understands that the need for security awareness comes down from John Chambers (Cisco's CEO)." But if employees aren't watching the videos they're supposed to be watching, their line managers will be asked why.

King says the company can also tell how effective training has been through other means. A recent video on "shoulder surfing" emphasised the importance of using privacy screens when working on laptops in public places. A link next to the video took the user to a place where they could buy a screen through their department's budget. "Take-up was huge. Lots of people now have screens on their laptops. That's our measure."

Cisco only produces a few of these videos. For the most part, it provides a constant background of security information to create a secure culture. It uses poster campaigns and newspapers among other things. A recent effort suggested employees should think of themselves as "security champions", trying to keep the company safe.

However, Robin Adams, head of the security division at the Logic Group, cautions against relying on posters. "The feedback I get is that posters work for about a month." Similarly, signs to remind users of good behaviour tend to fade into the background within days.

Although seminars can be expensive and not as effective in the long-term as other methods, they can work well in small companies. Firebrand offers low-level training courses that clear away jargon and acronyms - something that can creep in if security staff put on their own seminars without input from marketing, training or HR departments.

David Cole, academy team leader and senior consultant at risk consultancy DNV, suggests that role-playing works well in workshops and seminars. "There's a danger in infosec training that you end up showing slide after slide," he warns. "But you need to make it fun. You can have training exercises and create a scenario that builds slowly over the day."

May at Integralis uses anecdotes from his forensics career to enliven his sessions. "You get senior people turning up because they hear it's interesting. If you can add a bit of humour, they can enjoy proceedings." He also advocates the use of role-playing: "They have to think for themselves. It's a good way of making it sink in." Nevertheless, although he is in favour of induction courses, he considers a presentation by itself "virtually worthless".

It could be you

Getting employees to pay attention to all these messages usually involves sticks and carrots. Annual exams can test how much has actually sunk in. Strong punishments for people who have knowingly broken security policies can set an example and demonstrate the company is serious about security. But the Logic Group's Adams says that, in his experience, painting a worst-case scenario of what could happen works "amazingly well" when it comes to convincing staff to abide by the policies anyway. "If you explain that credit-card companies might take away their ability to process cards for orders, together with the effect that would have on jobs, people really listen." Explaining what information might be worth to criminals also helps, he adds.

Ultimately, no matter how good security technology becomes, people will always be a weak link. Ignoring this fact is, as Smith suggests, like focusing on brain surgery when the patient is dying of the common cold.

TOP TEN TIPS FOR YOUR STAFF

1. Make sure that all redundant equipment, documents and waste are removed as appropriate. It's no use protecting data on your PC if it's on your desk for everyone to see.

2. Lock your workstations when left unattended and log off at the end of your working day.

3. Don't share computer passwords except under the most exceptional emergency circumstances.

4. Don't make your password easy to guess. It should be at least eight characters, different for each account and not based on personal things such as dates or pet names.

5. Organised crime is at work and the average criminal is more motivated to steal from you than you are to defend yourself.

6. If you have a laptop, don't leave it on display in your car. Get a laptop cable lock. Many thefts are crimes of opportunity.

7. Avoid working in a public place; you never know who's watching. If you must, get a privacy protector.

8. Do not connect devices such as iPods, USB drives or even CDs to your PC without checking with IT - these can all carry malicious software.

9. Don't reveal details of your work security to anyone. If someone is trying to break in, they'll try to get as much information as possible.

10. If you think something is suspicious, report it. Many crimes are successful because earlier, unsuccessful break-in attempts weren't spotted by the right people.

CASE STUDY: RICOH

Japanese digital office-solutions company Ricoh has nearly 82,000 employees and offices in more than 150 countries. Three years ago, the company decided to go for a single global certification for ISO27001.

Kevin McLean, information security manager at Ricoh Europe, has been in charge of the EMEA aspects of the certification. "In order to achieve the certification, we created a project team. The team worked with the IT, HR and facilities management departments to establish the information security management system (ISMS) with a focus on access control, from IT systems to buildings. Recruitment policies were reviewed to cover the management of contractors and permanent personnel."

However, McLean knew that employee awareness would also be a vital part of both certification and the company's security policy. "While we strive to be as strong as can be with physical security, it can all be undone by people," he says.

So he and his team created a security awareness programme. They began with pilots in a number of offices, including the company's European HQ in London. They also set up ISMS business representatives groups, bridging units at each pilot area between their own division and the rest of the company, which met to decide activities and projects designed to improve employee awareness. "We tried a number of things to see how they were received." Since the pilot project at the HQ was in a relatively small area, it was possible to take advantage of "water cooler" chat to discover how much of the message was getting through. Managers told them that more staff were wearing ID badges, clearing their desks at the end of the day and performing other actions they had been advised to perform.

To get the message across, the unit devised initiatives including informal launches, articles on the intranet, a staff handbook and mandatory awareness training. Staff were also given free gifts, including a personal alarm and SIM card replicator, to reinforce the security message. A set of "11 commandments" based around the "DOIT" slogans ('protecting documents, office and IT') further added to the message.

"HR and marketing helped come up with the slogans," recalls McLean. "And HR were able to tap training and similar resources." Seminars and workshops involving role-playing allowed staff to explore security issues related to their working day. "Employees weren't interested in big picture stuff. It was all about 'How does this affect me?'"

Although Ricoh now has the certification, McLean says the programme will continue. "We're always going to be improving it."

WORKING WITH OTHER DEPARTMENTS

If security is seen as an IT issue, it will be left to the IT department to sort it out. Apart from the crippling amounts of extra work, that will mean security being someone else's problem rather than an issue for the whole company. So it's important to get other departments to work in conjunction with IT to ensure that the security message gets through and is seen as everyone's concern.

This usually involves board-level support as well as a "bridging unit" or a business relationship manager, depending on the size of the company, to liaise between IT and other departments. If you can get funding from those departments, they will be far more committed to the issue than if they are merely asked to give up their time.

The HR and legal departments can be useful, as they can ensure that employee contracts include suitable rules about security and IT use, together with appropriate actions in case employees break them. This means that if someone does cause a security breach, the contract, together with the training given to them, significantly reduces the chance of a lawsuit for unfair dismissal being filed against the company. Liaising with HR means security training can be part of the induction programme, avoiding the problem of security being seen as something "other".

Marketing, training and other corporate communications departments have those vital people skills that some IT specialists lack. When creating awareness campaigns, marketing can help to devise the most effective methods of getting the message across. And while IT can certainly provide the information about security that needs to be given to employees, a training or HR department is far more likely to be able to deliver seminars and courses in a way that non-technical people will appreciate.

EU Commission says payment fraud moving to the internet

In spite of efforts to halt electronic fraud, the internet has remained a dangerous place to do business, according to a report from the European Commission. It reported 10 million fraudulent transactions that cost European Union merchants a cumulative 1.5 billion Euros (US$1.5 billion) in losses each year.

In particular, the report, which is available here, noted a significant increase in what it called "skimming fraud." This is the practice of illegally copying the data on magnetic stripes, then producing counterfeit cards that are used in non-EMV (Europay, Visa, MasterCard) terminals and in non-face-to-face environments such as internet payments, the report indicates.

The EU Commission report on fraud and countermeasures taken between 2004 and 2007 reveals that although the number of fraud cases is a small percentage of the overall number of transactions using new payment services, the fraud weakens the overall confidence level of European Union residents.

Apr 23, 2008

Bullying probe over death of girl

THE coroner will investigate the death of a Melbourne teenager who took her life after claiming she was bullied.

Sarah Jean Walker, 17, died in her family's western suburbs home earlier this month.

It is believed the VCE student was involved in a spat with another teenager about a fortnight before she died on April 7.

Sources said Sarah left notes saying she had been bullied and taunted.

Police are believed to have seized notes and several personal items, including her mobile phone.

Described as a happy student and keen hockey player, Sarah left behind her grieving father Doug, mother Evelyn, stepmum Kerrie and a younger sister.

Mr Walker said the family did not blame the school or any individual for the tragedy.

But they encouraged youths to consider other people's feelings.

"Be kind to others and be careful what you say to people," Mr Walker said.

The Walkers said it was too early to conclude what had compelled Sarah to take her own life.

The principal of Mount St Joseph's Girls College distanced the school from the bullying claim. "Our sole priority at this time is with the family," Regina Byrne said.

Apr 22, 2008

Customer churn costing Australian business $1.5 billion a year

Customer churn is spreading beyond the banking and telco sectors costing Australian business more than $A1.5 billion a year.

It is now affecting utilities, travel, insurance and a host of other industries, according to a survey of 4000 consumers in seven Asia Pacific countries.

Around 600 of the survey respondents were from Australia with figures showing 92 per cent of local consumers have at some point switched a service with almost six out of 10 having changed suppliers in the last 12 months.

It shows that switching suppliers is a national habit for Australians with those in the 25-34 year old bracket the worst offenders - switching 50 per cent more often than any other age group in the past year.

The highest income bracket in the research also switched the most often indicating that something other than price, as a proportion of disposable income, is the driver for churn.

According to the BMC Software Churn Index for the Asia Pacific, this switching merry-go-round is costing Australian business around $A1.584 billion per annum when the cost of a single customer is multiplied by the average number of churns per annum (1.1) and the adult population (13.2 million).

The number one reason for switching is price followed by service problems which highlights IT's role in fostering customer loyalty.

Commenting on the results, University of NSW school of marketing, professor Adrian Payne, said churn has become enemy number one for business.

"The index results are a clear wakeup call for business; they need to know when services are going wrong and which customers are affected," Payne said.

"Without that insight, they run the very high risk of that customer switching at some stage."

The index found that the cost of poor IT can have long term implications.

Payne said that many factors including financial incentives are used to attract new customers, but the continuous cycle of cost cutting and financial kick-backs is not a healthy long-term business strategy.

"Companies spend substantial amounts of money attracting new customers, but often end up losing them because of poor service, an outage or a frustrating experience with the help centre," he said.

"Optimising the IT infrastructure can make a difference, utilising automated service assurance and help desk processes can make a marked difference in the customer experience and drive greater customer loyalty."

Telephone companies, banks and insurance companies have the highest historical churn rates with 64 per cent, 63 per cent and 60 per cent respectively.

Pay Attention! Brain Scanners Detect Slip-Ups Before You Do

A mindless mistake on a monotonous task may feel like a momentary glitch, but its mental roots run deep. In a study published today in the Proceedings of the National Academy of Sciences, researchers used fMRI machines to record neurological patterns preceding careless errors. The recordings revealed a cascade of shifting activity in the parts of the brain associated with focusing attention and maintaining routines. Researchers observed test subjects' minds going on autopilot up to half a minute before the subjects actually made mistakes, even though the subjects weren't aware of their own lapses of attention. If the same mechanisms produce other, more meaningful errors -- slips on the assembly line or behind a steering wheel -- then the research could be used to design biofeedback systems that could catch mistakes before they're made.

RSA finds new malware enhanced phishing technique

RSA said Monday that it discovered a new phishing technique that uses elements of a malware attack to swipe personal information.

The discovery illustrates a series of attacks from the Rock Phish group, which is a gang reportedly based in Russia that has been targeting financial institutions since 2004.

Among RSA’s key findings:

  • Rock Phish attacks account for 50 percent of phishing incidents and have stolen “tens of millions of dollars” from bank accounts.
  • This is the first time crimeware has been used in a Rock Phish attack.
  • Victims of these phishing attacks get their personal data stolen and are infected by the Zeus Trojan. Double the pain for victims.

Apr 21, 2008

One in five 'won't work with depressed person'

ONE in five Australians would not work closely with someone suffering depression, and older men and migrants tend to view the illness negatively, a study reveals.

Despite research suggesting one in five Australians experience some form of mental illness each year, an Australian study of more than 6000 people found that just as many would be against working with a depression-sufferer.

About 20 per cent of the people surveyed by researchers from the Australian National University and the University of Melbourne said if a colleague had depression, they would not work closely with them.

The researchers also found that older males and people born overseas were more likely to have a negative view of those suffering depression than most other Australians.

Lead author of the study and mental health expert Kathy Griffiths said the results of the survey were “startling”.

Apr 15, 2008

Shock: Some major anti-virus vendors fail

Security vendors such as McAfee, Sophos, Trend Micro, BitDefender and Avast have failed VB100’s anti-virus, anti-malware test on Vista SP1, while Symantec’s Norton Anti-Virus, AVG, Kaspersky and, surprisingly, Microsoft’s OneCare, have passed the test with flying colours. Some big security names have been tripped up in a recent Virus Bulletin VB100 test to see which security products provided the most protection against a range of ‘in the wild’ malware and virus threats. In total, 17 of 37 products tested failed to gain a perfect rating, underscoring that just because you have an Internet security product installed, you may still be vulnerable to malware and virus threats online.

Virus Bulletin says the VB100 award was first introduced in 1998, and that security vendor products must have demonstrated in VB100 tests that the software has a 100% detection rate of all “In the Wild” viruses during both on-demand and on-access scanning while generating no false positives when scanning a set of clean files. Full details of Virus Bulletin’s testing procedures are available online.

'OpenMac': A Poor Man's Macintosh

In a move that's sure to get the attention of Apple's lawyers, one company has started advertising a new $400 hackintosh dubbed the "OpenMac." Mind you, it's not the desktop's name that's likely to cause trouble, but rather the fact that Psystar (the company selling the machine) is claiming it will ship with a fully compatible version of Leopard.

This is apparently accomplished with the help of an EFI emulator and a few drivers.

Says Psystar:

With the EFI V8 emulator it is possible to install Leopard's kernel straight from the DVD that you purchased at the Apple store barring the addition of a few drivers to ensure that everything boots and runs smoothly.

Now, it's clear the company is trying to market the OpenMac as a cheaper, more expandable alternative to a real Mac, which is great. But Apple's End User License Agreement is pretty clear about where its OS can appear: That would be Apple-branded hardware exclusively. And while it's one thing to do a little tinkering on your own, I suppose it's quite another for a company to do it for you — and potentially make a profit off of it.

Note: Psystar is at least making people pay for certified copies of Leopard.

Band-Aid approach to cyber security

ALLOWING companies to intercept their employees' emails without their consent, as proposed by the Federal Government, would do little to protect the nation's critical infrastructure from a potentially devastating attack from hackers and terrorists, according to cyber security experts.

The assessment came as privacy and civil liberties groups expressed alarm that the new powers could allow employers to conduct intrusive searches that had little to do with security.

As revealed in the Herald yesterday, the Attorney-General, Robert McClelland, said he was considering the new legislation in the wake of growing concern among security authorities about an attack on the vulnerable computer networks that underpin essential services and industries in the modern economy. Such critical infrastructure includes the financial system, power grid, telecommunications and transport networks, among others, employing millions of workers.

Asha Rao, an information security expert at RMIT University in Melbourne, said the policy was little more than a Band-Aid to a more pervasive problem. "Basically, these companies need to get their information systems up to scratch," said Dr Rao. "I'm worried that this law removes the onus from companies to have up-to-date security systems."

Another leading information technology (IT) expert, who asked to remain anonymous because he had work pending with the Government on cyber-security, said: "The problem is that the IT security model is broken on a fundamental level."

"Viruses, zombie botnets, whatever. They are developing faster than anyone can catch them," he said. "With an open internet, you can't guarantee security. These [critical infrastructure] sectors need to build new systems that are independent of the internet [and] that's going to cost a lot of money."

Mr McClelland stressed yesterday there would be strict protocols to ensure the information in emails was not misused if the new powers were introduced.

"Such as, for instance, disciplinary matters regarding the employees' conduct or any other privacy issues," he said. "In other words, you're not interested in communications from employees' friends, their children, other family members."

The Deputy Prime Minister, Julia Gillard, said the threat of a cyber-attack by terrorists was real, and the consequences potentially huge. "If our banking system collapsed, if our government electronic systems collapsed obviously that would have huge implications for society," she said. "I promise we are not interested in the email you send out about who did what at the Christmas party."

Dale Clapperton, chairman of Electronic Frontiers Australia, was briefed on the proposal by the Attorney-General's Department yesterday and said there was a case for improving laws to allow private companies to weed out viruses and spam. "There is still a risk of these powers being abused and the negative effects on privacy may outweigh any positive effects," he said. "The fact is that a network supervisor in a company or local government authority may not have the same honourable intentions as Ms Gillard."

The Opposition legal affairs spokesman, George Brandis, said he was worried about giving companies the power "to act, in effect, as a quasi-law enforcement or investigative authority".

The Offshoring of Airplane Care

Hangar No. 1 at San Salvador's airport is hopping. Technicians employed by jet maintenance contractor Aeroman swarm over Airbus planes belonging to JetBlue Airways (JBLU), US Airways (LCC), and Ukraine's Donbassaero, checking electrical systems, replacing carpets, and examining engines and flaps for signs of corrosion or defects. Just outside, more jets from US Airways and Air Tanzania wait their turn. Why the rush to this tiny Central American country? Starting pay at Aeroman in El Salvador is around $4,500 a year, while veterans take home perhaps $15,000. In the U.S., airplane mechanics earn an average of $52,000 annually.

These days, Aeroman and companies like it have plenty of customers. As airlines scramble to cut costs, outsourced repair shops—both in the U.S. and abroad—now handle two-thirds of all maintenance for American carriers, the U.S. Transportation Dept. says, up from 30% in 1997. Airline maintenance has become a $42 billion-a-year business, with countries such as Dubai, China, Korea, and Singapore making enormous investments to attract such work. While there's some concern about the 4,181 maintenance operations in the U.S., the bigger worry is over the 700-plus foreign shops overseen by the Federal Aviation Administration. Beyond those, there are numerous other shops not certified by the FAA that offer airlines various maintenance services.

Georgia patients' records exposed on Web for weeks

A company hired by the state of Georgia to administer health benefits for low-income patients is sending letters to notify tens of thousands of residents that their private records were exposed on the Internet for nearly seven weeks before the error was caught and corrected, a company representative said Thursday.

The records of as many as 71,000 adults and children enrolled in the Medicaid or PeachCare for Kids programs were inadvertently posted on February 12, said Amy Knapp, a spokeswoman for the company, WellCare Health Plans, whose headquarters are in Tampa, Fla.

The company learned on March 28 that the information was publicly accessible, Knapp said, and it took five more days to remove all the data, which included names, Social Security numbers, birth dates, Medicaid or PeachCare for Kids numbers, and dates of eligibility for insurance programs.

An employee who was updating information for the Georgia Department of Community Health posted the normally secure data to an unsecured Web site by mistake, Knapp said.

Lisa Marie Shekell, the department's communications director, said there was no evidence that any of the information had been improperly used.

WellCare Health Plans has offered to pay the patients for credit-monitoring services for a year, Knapp said.

This is the second time in a year that records for Medicaid and PeachCare for Kids participants in Georgia have been compromised.

Last April, the Department of Community Health announced that a different private contractor had lost a computer disk containing data on 2.9 million people. The disk, which was apparently lost in the mail, was never recovered.

"It is probable that some of those same individuals affected by last year's incident were also affected by this latest breach," Shekell said, though administrators had not yet determined exactly how many people were affected in both cases.

Apr 14, 2008

Take your data to the racetrack says IBM

An IBM research breakthrough could let storage devices hold hundreds of times more information than they handle today with technology IBM calls "racetrack memory," which stores data as a magnetic pattern on a nanowire 1,000 times finer than a human hair.

Here's how it works: spin-polarized electrical currents cause the magnetic pattern to race along a wire track, from which data can be read or written -- in either direction -- in less than a nanosecond.

"Data is written by placing a second nanowire with a special pattern on it near the first nanowire," according to an IBM video describing the research. "The data on the first nanowire can be changed by moving the pattern along the second wire. The racetrack memory would stand thousands of nanowires around the edge of a chip, potentially allowing for hundreds of times the amount of storage in the same space as today's memory."

IBM researcher Stuart Parkin and colleagues at the IBM Almaden Research Center in the US described the breakthrough in two papers in the April 11 issue of the journal Science.

Researchers have looked for ways to store information in magnetic domain walls for nearly half a century, but ran into roadblocks that made such storage schemes expensive, complex and inefficient, according to an IBM press release.

Parkin and colleagues discovered that by leveraging the interaction of spin polarized current with magnetization in the domain walls, the memory device can be simplified and hold far more information and in the same amount of space as today's technology. Such memory would also deliver "lightning-fast boot times," IBM says.

The researchers project that within the next 10 years new solid-state storage devices based on racetrack memory will hit the market, enabling, for example, an MP3 player that can store 500,000 songs or 3,500 movies.

"The devices would not only store vastly more information in the same space, but also require much less power and generate much less heat, and be practically unbreakable," IBM says. "The result: massive amounts of personal storage that could run on a single battery for weeks at a time and last for decades."

Today, information is generally stored either on flash memory or magnetic hard disk drives. Hard drives, with numerous moving parts, are slower than the solid state flash drives, but have the advantage of being about 100 times less expensive, IBM notes.

Racetrack memory combines the benefits of each type of storage, according to IBM, and will last much longer than flash memory, which slowly deteriorates each time data is rewritten and can break after several thousand reuses.

By storing data using the spin of electrons, racetrack memory can be rewritten endlessly without ever wearing out, IBM says.

Apr 11, 2008

Omron shows smile-measuring technology for cameras, robots, medicine

The breadth of a smile can be measured by new technology from Japanese electronics and health-care company Omron Corp.

The software technology, shown to reporters Thursday, scans a video image to detect faces, and can find up to 100 faces in an image, according to Yasushi Kawamoto of Omron.

"Okao Catch," which means "face catch," then analyzes the curves of the lips, eye movement and other facial characteristics to decide how much a person is smiling using data collected from a million people and their smiles, he said.

In a demonstration, a camcorder took videos of journalists covering the announcement. Percentage numbers indicating how much each person was smiling popped up in bold blue letters next to their faces on a monitor, flashing higher or lower as their expressions changed.

The numbers ranged as high as 89 percent for a person who was grinning, while a somber face registered 0 percent.

Telstra versus the Androids

Sensis' plans for world domination mean you're unlikely to see Google Android phones on Telstra's Next G network anytime soon.

Android is Google's operating system for mobile phones, which is expected to hit the market in a few months - running on phones from the likes of HTC. Naturally Android will tie in seamlessly with Google's growing suite of location-based services, which are already rolling out in Australia.

Of course Telstra's subsidiary Sensis - owner of the Whereis online mapping service plus the White and Yellow Pages - has its own plans for mobile location-based services. If Sensis' useless White Pages site is anything to go by, Google has little to worry about.

When I had coffee with HTC's Aust & NZ managing director John Featherstone late last year he was keen to talk about Android. This week I caught up with i-mate's Australasian brand manager Allison Caruk and it was a very different story. Originally i-mate was one of a number of phone makers that rebadged HTC phones, but now HTC has decided to go it alone. i-mate recently released its own phones, the i-mate Ultimate 9502 and 8502, which are available exclusively on Telstra's Next G network running Windows Mobile 6.

i-mate has a tight partnership with Telstra and is closely involved with Sensis' Whereis Mobile pilot project. Until this project is ready to roll, i-mate is shipping its new GPS-enabled phones without mapping software - which must annoy buyers. Over coffee, Caruk talked down any interest in Android and went as far as to say "we don't see it as a threat". This may be the case, but I'd be surprised if Telstra doesn't see Android as a threat. When Google's Midas touch reaches Australia's mobile phone market, few have more to lose than Sensis.

i-mate is obviously reluctant to bite the Telstra hand that feeds it, but competitors such as HTC have big plans for Android. If Android does make a splash in Australia, i-mate's loyalty to Telstra could see it go down with the ship. Are you keen to get your hands on Android? Do you want to see it on Next G?

Apr 10, 2008

Karen Dearne: Labor to revamp Privacy Act

The Rudd Government is ready to overhaul the 20-year-old Privacy Act and build a privacy regime to serve modern Australia, Special Minister of State John Faulkner has told a business breakfast marking the 1988 introduction of federal privacy laws. Senator Faulkner said the government's approach to privacy reform will be based on the long-awaited Australian Law Reform Commission report, due for release next month.

"The ALRC has conducted a comprehensive inquiry into the Act's effectiveness, and considered at length issues such as creating uniform private regulations along with reducing compliance burdens on business," he said. "Consistency is essential if people are to be fully aware of their privacy protections, and for government and business to readily comply with their obligations.

"It is also timely to consider whether the Act continues to provide an effective framework for privacy protection given the rapid advances in information communication and storage, surveillance and other technologies. The ALRC has been looking at how the concept of privacy in Australia has evolved and community perceptions have changed with the introduction of sophisticated technologies such as CCTV and biometrics, and examining whether privacy regulations should extend beyond the protection of personal data alone."

Senator Faulkner said the ALRC's recommendations would be available to the government in a matter of weeks, "and with the benefit of that will look at a range of issues", including the need for data breach notification laws raised in a private members' bill presented by Democrats senator Natasha Stott Despoja late last year. Tighter rules on cross-border data flows have also been flagged.

Apr 7, 2008

When returns from Google approach zero

Being sucked into expensive marketing campaigns is a far too common mistake for businesses, and occurs due to a lack of understanding. Mr Gattari and Mr Mooney, partners in business development firm Achievers Group, are not fans of advertising and branding when it comes to priorities for their business clients, small and large. Being sucked into what the pair call "silver bullet" marketing, which usually entails expensive advertising and logos and a new website and signage, is a far too common mistake smaller businesses make, they say.

This occurs because the business owner doesn't understand marketing. "The key to success in business is making sure that you understand the power of marketing. Marketing is not ads, a logo, a website or brochures. Branding and 'brand recall' is a myth. "Marketing is using effective strategies to increase the number of inquiries into the business, to improve the average transaction and to retain existing customers," Mr Gattari says.

"You don't do marketing when things are bad, you do it consistently. You need to check and measure every marketing activity with brutal efficiency. "And you need to test and measure marketing on the variables that make up profits, not on rubbish concepts like brand recall, which means nothing to people who are running businesses. Brand recall doesn't pay wages or put food on the table."

The variables against which the efficiency of marketing campaigns should be measured, says Mr Gattari, are the building blocks of profit: things like conversion rates, average dollar sale, frequency of sales, gross margins and leads. "Take advertising, which is one of the most basic methods of marketing. Forget the brand recall, you've got to measure whether you're getting any sales growth, and how many leads are being generated," he says.

"In most businesses, the function of advertising is to generate leads. A lead is an interested contact. One of the best places to measure the effectiveness of advertising is in leads. Don't use a marketing strategy until you can measure it.

"How many more phone calls are you getting, how many more online inquiry forms are being filled out, how many more people are coming through the door?"

Too many business owners approach marketing unsure of what they actually want from it, says Mr Gattari.

"You have to understand very clearly what you want - the objectives that you want to achieve. It shouldn't be 'I want to grow sales' - you have to know exactly by how much you want to grow sales," he says.

"Then, you've got to take massive, extraordinary amounts of action. Not every strategy that you apply is going to work. The key is to try a lot, to determine what works. Then, it is critical that you measure what you're getting from those strategies.

"Anything that doesn't work, and which you have executed correctly, eliminate it immediately. If something works, don't just celebrate the fact that it's working. Document exactly what it is that you've done, so you can train others to do it.

"If you don't train others how to do it, the business can't grow past yourself."

Mr Gattari and Mr Mooney have just released a book, Marketing Success, which sets out their philosophy.

Examples include a proactive referral system, because "every customer has friends", and taking the time to work out who is your target market: who makes the decision to buy your product and service.

Mr Gattari and Mr Mooney are "huge fans" of strategic alliances and co-marketing, where organisations that deal with the same client can share expenses.

"Approach your suppliers. If you're running a campaign that promotes their products, ask them to contribute half of the cost," Mr Gattari says.

"You've got to sell the vision and make sure that the supplier sees it as an attractive proposition. The key is to get the money for the campaign out of the marketing budget of the larger company, because it ultimately helps them."

And if you want to advertise and build your business's brand, well, that's OK, in the right circumstances.

"Just remember to test and measure it to the nth degree," he says.

Apr 6, 2008

Why Google Apps Could Lose the Enterprise Market

Lately, we've been discussing the concept of tech populism and how enterprises are moving towards a more people-centric focus when it comes to their IT infrastructure. Although we support this movement of bringing social tools into the workspace, one could argue that there's a right way and a wrong way to do this. For some, it's a matter of introducing social or collaborative features into enterprise software; for others, like WorkLight, it's about adapting existing consumer tools for the enterprise.

In both of these scenarios, the IT department is still involved in the process of the introduction and deployment of the new capabilities. On the other hand, Google is trying a completely different approach: subvert the IT department altogether and appeal directly to the worker.

Google's Strategy in the Enterprise

While this approach may work in the enterprise space in the short term, in the long run, they're alienating the very people whose alliances they need in order to become a success. Today, with Google's announcement of Google Sites, the blogosphere is already comparing the product to Sharepoint and trying to drive nails into Microsoft's coffin. I'd argue that it's far too soon to claim that Google is offering anything that really has a shot at making a dent in the enterprise world.

As an online suite of applications, email, calendaring, IM, and even security and compliance with Postini's help, Google Apps is off to a good start as being a suite that really has it together. For the small to medium size business, you could say that Google makes a strong offering as a more affordable alternative to Microsoft Servers and applications. However, it's a big jump from offering tools to a mom-and-pop as compared with a global, Fortune 500 company.

Google is actually going about marketing to the enterprise market in a pretty ingenious way - they're not. Instead, they're bypassing the IT department (who would, in all honesty, probably laugh at the thought) and marketing their suite on the sly directly to the employees themselves: "Are the tools provided by your IT department too unwieldy to use? Is IT too slow to respond to your needs? Then forget IT and use Google Apps instead!" This is definitely a good plan for Google in the short term, but it's not one that is going to be good for them in the long run...especially when IT catches on to what their users are doing.

Take the new Google Sites, for instance. Ben Worthen commented in today's Wall Street Journal about the product:

"Setting up sites like this has traditionally required help from the information-technology department. Google boasts in its press release that workers can set up a site 'without having to burden IT for support.' We love that phrase: It’s a bit like showing a teenager how to sneak out of the house and calling it a way to go out without burdening parents by letting them know. It also speaks volumes about Google’s strategy for breaking into businesses. The company is intentionally bypassing tech departments, which might object to Google hosting their business’s sensitive information. Instead, the company is appealing directly to the average worker, who doesn’t want to have to wait months for IT to have the time and money for their project. So while it will probably fill IT pros with visions of sensitive corporate data flowing out of their businesses, Google’s business model isn’t dependent on winning techies over."

A previous WSJ article also reported Dave Girouard, who runs Google’s enterprise unit, as saying this about what his company is doing: "We’re wrestling over who should have ultimate authority of the technology people use in the workplace. There’s no right or wrong answer so we have to respect everyone’s view."

Let's read between the lines of that last statement...Google doesn't think IT should have the ultimate authority over the tools people use to do their jobs. There's "power to the people" (tech populism) and then there's a total coup d'état. Google's opting for the latter.

Network World agrees: "By killing the admin function, Google is trying to change the culture of software usage - the power structure, if you will. Taken to extremes, such a structure means that no longer will IT be the law enforcement officers of policy."

Apr 2, 2008

Tooth Regeneration May Replace Drill-and-Fill

The next time your children get cavities, they might get tooth regeneration instead of fillings.

That's because materials scientists are beginning to find just the right solutions of chemicals to rebuild decayed teeth, rather than merely patching their holes. Enamel and dentin, the materials that make teeth the strongest pieces of the body, would replace the gold or ceramic fillings that currently return teeth to working order.

"What we're hoping to have happen is to catch [decaying teeth] early and remineralize them," said Sally Marshall, a professor at the University of California at San Francisco. Marshall gave a talk last week at the spring meeting of the Materials Research Society on rebuilding the inner portions of teeth.

While regrowing your uncle's toothless grin from scratch is still a decade away, the ability to use some of the body's own building materials for oral repair would be a boon to dentists, who have been fixing cavities with metal fillings since the 1840s. Enamel and dentin are remarkably strong and long-lasting, and they can repair themselves. But as scientists are continuing to find out, dentin in particular is a remarkably complex structure.

The outer covering of teeth is enamel. The body makes it by growing tiny mineral crystals in a highly regular crystal lattice. Underneath that ceramic-like covering, dentin is like hard clay reinforced by fibers of collagen, similar to the way adobe bricks contain clay reinforced by straw fibers.

"The tooth is a beautiful structure," said Van Thompson, dentistry professor and chairman of New York University's Department of Biomaterials and Biomimetics.

But teeth, because they are made from minerals, are susceptible to what is essentially erosion. Acids, like those produced by bacteria or Coca-Cola, demineralize the enamel of the teeth. Usually the body is constantly repairing small amounts of damage, Marshall said. But when the body's defenses become overwhelmed, bacteria break through into the dentin below, and you get tooth decay, commonly called a cavity.

The acid produced by the bacteria eats into the minerals in the dentin, turning it mushy and useless. Normal dentin is twice as stiff as pinewood, but damaged dentin is more like rubber, which makes it pretty hard to chew with.

Marshall's newest work, which has been accepted for publication in the Journal of Structural Biology, focuses on regrowing dentin in damaged teeth with the help of a calcium-containing solution of ions (electrically charged particles).

By putting a layer of the solution on individual test teeth, Marshall has already been able to remineralize some parts of the teeth. The challenge is to get the crystals to regrow throughout the dentin.

To heal properly, the crystals need to form from the bottom of the tooth up to the enamel. Marshall isn't sure whether that's happening yet, but she is confident that she'll find a way to restore dentin functionality over the next few years.

Stephen Bayne, professor of dentistry at the University of Michigan, noted that while many groups are working on regrowing teeth, Marshall has "incredible stature" in dentistry for her groundbreaking work helping dentists understand the structure of the tooth.

Still, even with the recent progress, the very complexity that Marshall and other researchers have discovered in the humble tooth is likely to keep her technique out of your local dentist's office for a few more years.

"We're still a ways from being able to grow back dentin and enamel," Bayne said.

Apr 1, 2008

IBM Hit With Temporary Contract Ban

IBM Corp. has been temporarily banned from new federal contracts as prosecutors examine interactions between employees of the company and the Environmental Protection Agency.

The suspension went into effect last Thursday "while the agency reviews concerns raised about potential activities involving an EPA procurement," the agency said Monday in an e-mailed statement. Under a reciprocal agreement among federal agencies, when one issues a ban, the others follow it.

EPA said it will not comment further on the matter.

IBM said it was cooperating with the U.S. Attorney's Office for the Eastern District of Virginia, which served grand jury subpoenas seeking documents and testimony relating to the EPA contract.

Armonk, N.Y.-based IBM does business with all corners of the government, though the Defense and Homeland Security departments are much bigger customers than the EPA, according to federal spending databases. Last year IBM's contracts amounted to at least $1.3 billion, roughly 1 percent of its 2007 revenue.

IBM spokesman Fred McNeese said the company is still talking with the EPA about the alleged violation and would not describe the contract that IBM was bidding on that led to the suspension.

Cybercrime Book Excerpt: Zero Day Threat

When a shadowy Nigerian national with the nickname Mr. O finagled his way into the vast files of data broker ChoicePoint in 2003, he struck a mother lode of confidential information -- by internal ChoicePoint estimates, records of up to 4.3 million individuals.

By the time ChoicePoint publicly disclosed what was then the largest data-security breach, the FBI and Los Angeles police were investigating, lawmakers demanded hearings, and ChoicePoint vowed to remake itself. Some privacy advocates insisted the incident would underscore the dangers of data theft and ID fraud.

And yet, data breaches got bigger and broader in the intervening years, as Internet-based commerce and social networking inexorably expand. Since ChoicePoint, online scammers have repeatedly victimized corporations and their customers. The most audacious was the theft of records of as many as 94 million credit card transactions from giant retailer TJX, parent of 2,500 TJ Maxx and Marshall's stores.

Amid the wholesale rip-off of consumer data through cybercrime, USA Today reporters Byron Acohido and Jon Swartz began investigating the evolution of hacking from harmful pranks to a $100 billion-per-year criminal enterprise worldwide. Their resulting book, Zero Day Threat, examines the con men and cybercrooks who are exploiting security holes in online banking and shopping services.

What is more, the book asserts the real culprits are the stars of our financial and technology industries, corporations like Wells Fargo and Bank of America and the Big Three credit reporting agencies, Equifax, TransUnion and Experian, as well as tech giants Microsoft, Google and Apple. These corporate stalwarts have leapt headlong into exploiting the Internet for profits, and, in doing so, created fresh criminal opportunities, which, for self-serving reasons, they proactively downplay to the public.

In this excerpt, the authors explain how Mr. O illegally gained access to personal data stored by ChoicePoint, and how he distributed it to a shadowy network of cybercrooks.

Exclusive: The next Facebook privacy scandal

Facebook is no stranger to the complaints of privacy activists. First, it was the site's News Feed feature back in 2006. Most recently, the company's Beacon service drew widespread criticism. This blog post will outline yet another major privacy issue, in which Facebook recklessly exposes user data.

Facebook launched its widely popular application developer program back in May 2007. As of press time, there were more than 14,000 applications. Some, including most of the popular apps, are made by companies, while a few of the popular apps, and a significant number of the long tail of the less popular applications are made by individual developers.

But a new study suggests there may be a bigger problem with the applications. Many are given access to far more personal data than they need to in order to run, including data on users who never even signed up for the application. Not only does Facebook enable this, but it does little to warn users that it is even happening, and of the risk that a rogue application developer can pose.

Privacy problems for the user

In order to install an application, a Facebook user must first agree to "allow this application to...know who I am and access my information." Users not willing to permit the application access to all kinds of data from their profile cannot install it onto their Facebook page.

What kind of information does Facebook give the application developer access to? Practically everything. According to the Application Terms of Service,

"Facebook may...provide developers access to...your name, your profile picture, your gender, your birthday, your hometown location...your current location...your political view, your activities, your interests...your relationship status, your dating interests, your relationship interests, your summer plans, your Facebook user network affiliations, your education history, your work history,...copies of photos in your Facebook Site photo albums...a list of user IDs mapped to your Facebook friends."

The applications don't actually run on Facebook's servers, but on servers owned and operated by the application developers. Whenever a Facebook user's profile is displayed, the application servers contact Facebook, request the user's private data, process it, and send back whatever content will be displayed to the user. As part of its terms of service, Facebook makes the developers promise to throw away any data they received from Facebook after the application content has been sent back for display to the user.

Researchers blast Facebook

Some applications may make use of all this data, but as researchers from the University of Virginia have detailed in a recent report, Facebook provides applications with access to far more private user information than they need to function. Adrienne Felt, a student and lead researcher on the project, told me that of the top 150 applications they examined in October 2007, "8.7 percent didn't need any information; 82 percent used public data (name, network, list of friends); and only 9.3 percent needed private information (e.g., birthday). Since all of the applications are given full access to private data, this means that 90.7 percent of applications are being given more privileges than they need."
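The gap the researchers describe, a platform that hands every installed app the whole profile even when the app declares no need for it, is the kind of thing a least-privilege gateway fixes. The following is an added example written for this page; it is not code from the original post, from Facebook, or from the University of Virginia study. It contrasts a release-everything handler with one that returns only the fields an app has declared, buckets apps the way the study did (no data, public data only, private data needed), and audits how many apps are granted more than they asked for. The field names, the sample profile and the app manifests are constructed for illustration.

```python
"""Least-privilege data release for third-party applications (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Field groups follow the study's split quoted above: "public" data is
# name, network and friend list; everything else counts as private.
# Names are constructed for this example.
PUBLIC_FIELDS: Set[str] = {"name", "network", "friends"}
PRIVATE_FIELDS: Set[str] = {
    "birthday", "hometown", "current_location", "political_view",
    "relationship_status", "work_history", "photos",
}
ALL_FIELDS: Set[str] = PUBLIC_FIELDS | PRIVATE_FIELDS

# Constructed sample profile; none of these values are real.
SAMPLE_PROFILE: Dict[str, object] = {
    "name": "Example User",
    "network": "Example University",
    "friends": [1001, 1002, 1003],
    "birthday": "1985-01-01",
    "hometown": "Exampletown",
    "current_location": "Example City",
    "political_view": "Undisclosed",
    "relationship_status": "Single",
    "work_history": ["Example Corp"],
    "photos": ["album1/photo1.jpg"],
}


@dataclass
class AppManifest:
    """What an app developer declares the app needs in order to render."""
    name: str
    required_fields: Set[str] = field(default_factory=set)


# Constructed manifests standing in for the three kinds of app in the study,
# plus one that genuinely uses everything.
SAMPLE_APPS: List[AppManifest] = [
    AppManifest("mood_ring"),                                   # needs nothing
    AppManifest("friend_map", {"name", "friends"}),             # public data only
    AppManifest("birthday_reminder", {"name", "birthday"}),     # needs private data
    AppManifest("everything_app", set(ALL_FIELDS)),             # declares all fields
]


def release_all(profile: Dict[str, object]) -> Dict[str, object]:
    """The behaviour the post criticises: every installed app gets the full profile."""
    return dict(profile)


def release_minimal(profile: Dict[str, object], manifest: AppManifest) -> Dict[str, object]:
    """Gateway that releases only declared fields and rejects names it does not know.

    Rejecting unknown field names matters: a manifest is attacker-controlled
    input, so the allow-list must be the platform's, not the developer's.
    """
    unknown = manifest.required_fields - ALL_FIELDS
    if unknown:
        raise ValueError(f"{manifest.name} requests undefined fields: {sorted(unknown)}")
    return {k: profile[k] for k in sorted(manifest.required_fields) if k in profile}


def classify(manifest: AppManifest) -> str:
    """Bucket an app the way the study did: 'none', 'public' or 'private'."""
    if not manifest.required_fields:
        return "none"
    if manifest.required_fields <= PUBLIC_FIELDS:
        return "public"
    return "private"


def audit(manifests: List[AppManifest], granted: Set[str] = ALL_FIELDS) -> Dict[str, object]:
    """Count apps per class and list those granted strictly more than they declared."""
    counts = {"none": 0, "public": 0, "private": 0}
    over_privileged: List[str] = []
    for m in manifests:
        counts[classify(m)] += 1
        if m.required_fields < granted:  # proper subset: platform grants more than declared
            over_privileged.append(m.name)
    pct = round(100.0 * len(over_privileged) / len(manifests), 1) if manifests else 0.0
    return {"counts": counts, "over_privileged": over_privileged, "over_privileged_pct": pct}


if __name__ == "__main__":
    for app in SAMPLE_APPS:
        print(app.name, classify(app), sorted(release_minimal(SAMPLE_PROFILE, app)))
    print("release_all leaks birthday:", "birthday" in release_all(SAMPLE_PROFILE))
    print(audit(SAMPLE_APPS))
```

The audit mirrors the study's arithmetic: with the platform granting `ALL_FIELDS`, three of the four constructed apps are over-privileged, and only the one that declared every field is not. The same `audit` can be run against a real manifest list to give a platform owner the same 90.7 percent style figure before deciding whether to move to declared scopes.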

General Dynamics UK touts near real-time 3D maps for soldiers

In the near future, soldiers may be using maps that are more akin to long-range but highly accurate security cameras: the maps will enable troops to see both the exterior and interior of buildings, as well as streets and larger areas, as they appeared just minutes ago.

The technology, designed by General Dynamics UK Limited, is called Masthead and is part of the company's UrbanISTAR concept. The company plans to debut the urban intelligence system this week at the SOFEX 2008 exhibition in Amman, Jordan.

The system uses infrared laser technology known as LIDAR (Light Intensity Direction and Ranging). By combining LIDAR sensors with thermal imaging and X-ray backscatter techniques, the General Dynamics researchers can fuse the data from these systems to create near-real-time 3-D pictures of buildings and streets. With the addition of radar, the system could even detect objects and people inside buildings.

All this equipment is carried in the back of a military vehicle, undercover civilian 4x4, or even a plane, as it drives or flies through an area. As the vehicle moves forward, the LIDAR system scans the scene with the infrared laser, measuring the distance to objects and creating a 3-D map.

With the map, troops could plan urban operations, identify targets, and determine the best routes to take when approaching terrorist sites. Soldiers could virtually walk through buildings to rehearse operations. Since the LIDAR system provides measurements of doors, windows, and alleys with millimeter accuracy, the technology could even be used for the targeting of weapons. Such maps would be much more useful than outdated conventional maps or 2-D aerial images.

"You can utilize [the Masthead system] in any number of ways," according to a recent article in Dynamics, the company's quarterly publication. "You can, for example, employ it like the worlds created in a computer game to 'walk' through the scene, perhaps to understand what can be seen from a particular doorway or window. ... The key thing is that the data underlying the map is only minutes old."

In addition to combat applications, the system could also be used for civilian applications. For example, a police force could use the technology when planning security measures for an upcoming event at a large sports stadium, determining the best evacuation routes in the case of an emergency.

Andrew Colley: Techies snubbed for 2020 summit

Many of Australia's best-known internet and information technology visionaries will be left out of the debate on the country's future when the Labor Government's 2020 Summit meets in April.

None of the board members of the three most prominent industry bodies are invited to the summit in spite of the event's strong focus on the digital economy and infrastructure.

No members of the Australian Information Industry Association, the Internet Industry Association or the Australian Computer Society have been invited.

Donna Ashelford, president of the System Administrators Guild of Australia, said at least four names she expected to be on the final list were absent.

"I'm surprised at the number of missing names. I would have expected more representation from the major internet service providers," Ms Ashelford said.

"I was expecting perhaps Internode managing director Simon Hackett or iiNet chief executive Michael Malone."

A few names familiar in ICT industry circles are on the list, including Swinburne University of Technology chairman and former Telstra senior executive Bill Scales, current Telstra chairman Donald McGauchie and former Microsoft Australia managing director Steve Vamos.

IT luminary and former Fujitsu executive Neville Roach also made the list alongside CSIRO chief executive Dr Geoff Garrett and Dr Terry Cutler, who was recently appointed to head up Science and Industry Minister Senator Kim Carr's national innovation review.